What is Office 365 security score? Why is it important?

Apart from the features described on the Office 365 roadmap, there are some hidden gems which might slip under the radar. One such gem is the Office 365 security score. It uses a set of PowerShell scripts which gather configuration related information from your Office 365 installation. It then evaluates this data against several criteria to calculate a score. This score represents the state of your security and provides recommendations on how it may be improved.

What is ‘security score’?

The core idea of the Office 365 security score is to take all your behavioral and configuration options related to cloud security into one framework. The idea is to enable users to take action in order to achieve improved scores over time. Instead of constructing a model which categorizes the level into low severity, moderate and critical, a scoring model has been created.
After being in preview mode since Aug 2016, Microsoft started calculating the scores for the security settings for commercial customers in Feb 2017. Further, additional advice has been given as to how actions like activating multi-factor authentication can influence the security scores. At least one major insurer has announced that this rating would be taken into account when pricing cybersecurity policies. What is it all about? Why is it important? Read on to find out.


Image source: https://support.office.com/

What is Office 365 security score all about?

Office 365 security score is an analytics tool that will help you understand what actions you have taken in order to reduce the risk faced by your data in Office 365, and show you what can be done to further reduce that risk. You can conceive of it as being a risk score or a credit score type number for security.
Up until Feb 2017, the number of parameters that was mentioned amounted to 27 security configurations and behaviors impacting data security in an entity’s Office 365 environment. After Feb 2017, users are now graded for security on as many as 77 factors. These 77 controls represent all the possible behaviors and security configurations that customers can adopt in order to reduce the risk to their Office 365 data. Based on the extent to which each of the controls reduced a set of risks, each control is awarded some points.

What are the applications?

Microsoft suggests 4 applications for the security score data:
• Monitor and report the score in reporting tools downstream
• Track the security configuration baseline
• Data integration into cybersecurity insurance or compliance applications’
• For integration into CASB or SIEM in order to drive a multi-cloud or hybrid framework used for security analytics
What the security score does is that it permits administrators to compare their security levels with those of 85 million business customers of Office 365.

What does Office 365 security score express?

The score is presented as a dashboard and multiple runs of the tool are presented by the Score Viewer for historical purposes. Each criterion that is evaluated is listed as a FIX IT or as a GOOD result, with the FIX IT result being linked into a general configuration area.
The Secure score is not an absolute measure of the probability of your system being breached. All it indicates is the extent you have adopted controls that can reduce the risk of being breached. Secure score is not a guarantee in many manner. The denominator of the score is not any kind of a goal to achieve. The reason is that many of the controls are quite aggressive and will have a deleterious effect on your users productivity. It’s all about putting in the controls that maintain a nice balance between security and user productivity.
The Score summary expresses the actual score value. The Risk Assessment section shows the top threats you face for your particular set of behaviors and configurations.
The Office 365 average secure score is calculated from the secure scores of all the customers. You can use this score as a frame of comparison to see how you fare against the average.
The modeler panel shows you recommendations for what actions you can take and the target score you can achieve if you implement all those recommendations. The action pane shows you a description of the suggested control, an explanation for why it would be an effective risk mitigation and what was observed about your configuration. The third panel in this section is a pane fly out which explains exactly what is going to be changed and what will be the effect of that on the users. The Launch now link will permit you to make the appropriate change from the same panel.
The Score Analyzer panel shows the variation of your secure score over time in the form of a line graph.

Image source: https://support.office.com/

How can it be accessed and what system installation does it require?

The Secure Score tool can be accessed from the URL: https://o365securescore.azurewebsites.net. In its current form, the tool needs you to have PowerShell modules for several components installed. So, you will basically need the PowerShell modules for each of the following:
• Azure RMS
• Azure AD
• Azure
• Skype for Business
• SharePoint online
If you already have these installed on your machine, you will not be prompted. Otherwise, the score and the scripts will point you to the respective download links.
Once the prerequisites are installed, the Secure score collector will be downloaded, which is nothing but a few PowerShell modules and scripts. While running the collector, there are a few points where you are questioned if some activities are illicit or weird. When the scripts are running, you can easily notice how the tool is early in development, the output is a bit raw and the logs include some statements like “Everything is square”. Some of the checks such as the mailbox checks look like they would take a large amount of time in a large environment. Once data collection is complete, it is uploaded to the Microsoft website for further analysis.

Author: Rahul Sharma